Sun Java System Directory Server Enterprise Edition 6.2 Reference

Access, Error, and Audit Logs

Access logs, error logs and audit logs are flat files that contain information about operations. For information about how to view and configure logs, see Chapter 14, Directory Server Logging, in Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide.

By default, the logs are stored in the directory instance-path/logs/.

Log files can be rotated on demand, or can be scheduled to be rotated on a specific day-of-the week and time of day, or when the log file exceeds a specified minimum size.

Old log files are stored in the same path with the same name and an extension that contains the date that the file was created, in the format filename.YYYYMMDD-hhmmss. The server also maintains a file with the same name and the .rotationinfo extension to record the creation dates of all log files.

For information about access logs, error logs and audit logs, see the following sections:

Access Logs

Access logs contain information about connections between an LDAP client and a directory server. A connection is a sequence of requests from the same client, and can contain the following components:

Error Logs

Error logs contain a unique identifier of the error, warning or information message, and a human readable message. Errors are defined according to the following severity.

Error

The error is severe. Immediate action should be taken to avoid the loss or corruption of directory data.

Warning

The error is important. Action should be taken at some stage to prevent a severe error occurring in the future.

Info

An informative message, usually describing server activity. No action is necessary.

Audit Logs

Audit logs contain records of all modifications to configuration or suffix entries. The modifications are written in LDIF format.

Audit logging is not enabled by default. To enable audit logging, use the procedure To Enable the Audit Log in Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide.

Content of Access, Error, and Audit Logs

The remainder of this chapter describes each of the parts of the log files.

Time Stamp

Each line of an access log file begins with a timestamp of this format:[20/Dec/2006:11:39:51 -0700]. The time stamp, -0700 indicates the time difference in relation to GMT.

The format of the time stamp can vary according to your platform. The connection, closed, and abandon records appear individually. All other records appear in pairs, consisting of a request for service record followed by a result record. The record pairs usually, but not exclusively, appear on adjacent lines.

Connection Number

The connection number is represented by conn=value. Every external request is listed with an incremental connection number.

When conn=Internal the operation is an internal operation. To log internal access operations, specify an access logging level of acc-internal in the dsconf configuration attribute.

File Descriptor

The file descriptor is represented by fd=value.

Every connection from an external LDAP client to a directory server requires a file descriptor from the operating system. The file descriptor is taken from a pool of available file descriptors.

Slot Number

The slot number has the same meaning as file descriptor. Slot number is a legacy section of the access log and can be ignored.

Operation Number

The operation number is represented by op=value.

For a connection, all operation request and result pairs are given incremental operation numbers beginning with op=0. The operation number identifies the operation being performed.

When op=-1, the LDAP request for the connection was not issued by an external LDAP client, but was initiated internally.

Method Type

The method type is represented by method=value.

The method type indicates which bind method was used by the client. The method type can have one of the following values.

0

No authentication

128

Simple bind with user password

sasl

SASL bind using external authentication mechanism

LDAP Version

The LDAP version can be LDAPv2 or LDAPv3. The LDAP version gives the LDAP version number that the LDAP client used to communicate with the LDAP server.

Error Number

The error number is represented by err=number.

The error number provides the LDAP result code returned from the LDAP operation. The LDAP error number 0 means that the operation was successful. For a list of LDAP result codes refer to Result Codes in Log Files.

Tag Number

The tag number is represented by tag=value.

The tags are used internally for message decoding and are not intended for use outside. The following tags are used most often.

tag=97

A client bind operation

tag=100

The entry for which you were searching

tag=101

The result from a search operation

tag=103

The result from a modify operation

tag=105

The result from an add operation

tag=107

The result from a delete operation

tag=109

The result from a modify DN operation

tag=111

The result from a compare operation

tag=115

A search reference when the entry you perform your search on holds a referral to the entry you require. Search references are expressed in terms of a referral.

tag=120

A result from an extended operation

Number of Entries

The number of entries is represented by nentries=value.

The number of entries indicates the number of entries that matched an LDAP search request.

Elapsed Time

The elapsed time is represented by etime=value.

Elapsed time indicates the time that it took to perform the LDAP operation. An etime value of 0 means that the operation took milliseconds to perform.

To log the time in microseconds, specify an access logging level of acc-timing in the dsconf configuration attribute.

LDAP Request Type

The LDAP request type indicates the type of LDAP request made by the client. The following types of LDAP requests can be made:

SRCH

Search

MOD

Modify

DEL

Delete

ADD

Add

MODDN

Modify DN

EXT

Extended operation

ABANDON

Abandon operation

LDAP Response Type

The LDAP response type indicates the LDAP response being returned by the server. The following LDAP responses can be returned:

RESULT

Result

ENTRY

Entry

REFERRAL

Referral or search reference

Unindexed Search Indicator

The unindexed search indicator is represented by notes=U.

In an unindexed search, the database is searched instead of the index file. Unindexed searches occur for the following reasons:

An unindexed search indicator is often accompanied by a large etime value because unindexed searches are usually more time consuming than indexed searches.

Extended Operation OID

An extended operation OID is represented by EXT oid="OID number". See extended-operations(5dsconf) for a list of supported extended operations.

Change Sequence Number in Log Files

The replication change sequence number is represented in log files by csn=value.

The presence of a change sequence number indicates that replication is enabled for this naming context.

Abandon Message

The abandon message is represented by ABANDON.

The presence of the abandon message indicates that an operation has been aborted. If the message ID succeeds in locating the operation that has been aborted, the log message reads as follows:

conn=12 op=2 ABANDON targetop=1 msgid=2 nentries=0 etime=0

However, if the message ID does not succeed in locating the operation, or if the operation had already finished prior to the ABANDON request being sent, then the log message reads as follows:

conn=12 op=2 ABANDON targetop=NOTFOUND msgid=2

The abandon message uses the following parameters:

nentries

Gives the number of entries sent before the operation was aborted

etime

Gives the number of seconds that elapsed before the operation was aborted

targetop

Identifies the operation to be aborted. If the value is NOTFOUND, the operation to be aborted was either an unknown operation or already complete

Message ID

The message ID is represented by msgId=value.

The message ID is the LDAP operation identifier generated by the client. The message ID can have a different value to the operation number, but identifies the same operation. The message ID in an ABANDON operation specifies which client operation is being abandoned.

The operation number starts counting at 0. However, in many client implementations the message ID number starts counting at 1. This explains why the message ID is frequently equal to the operation number plus 1.

SASL Multi-Stage Bind Logging

Directory Server logs each stage in the multi stage bind process and, where appropriate, the progress statement SASL bind in progress is included.

The DN used for access control decisions is logged in the BIND result line and not in the bind request line.

conn=14 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=myname,dc=example,dc=com"

For SASL binds, the DN value displayed in the BIND request line is not used by the server and is, therefore, not relevant. However, for SASL binds, the authenticated DN must be used for audit purposes. Therefore, the authenticated DN must be clearly logged. Having the authenticated DN logged in the BIND result line avoids any confusion as to which DN is which.

Options Description

The options description, options=persistent, indicates that a persistent search is being performed. Persistent searches can be used as a form of monitoring and can be configured to return changes to given configurations. The access log distinguishes between persistent and regular searches.

Connection Codes in Log Files

A connection code is included in the closing message of a log file. The connection code provides additional information about why the connection was closed. The following table describes the common connection codes.

Table 7–2 Summary of Connection Codes

Connection Code 

Description 

A1 

The client has closed the connection without performing an UNBIND. 

B1 

This connection code can have one of the following causes: 

  • The client has closed the connection without performing an UNBIND.

  • The BER element was corrupt. If BER elements, which encapsulate data being sent over the wire, are corrupt when they are received, a B1 connection code is logged to the access log. BER elements can be corrupted by physical layer network problems or bad LDAP client operations, such as an LDAP client aborting before receiving all request results.

B2 

The BER element is longer than the nsslapd-maxbersize attribute value.

B3 

A corrupt BER tag was encountered. 

B4 

The server failed to flush data response back to client. This code can occur when the client closes the connection to the server, before the server finished sending data to the client. 

P1 

The client connection was closed by a custom plug-in. None of the plug-ins provided by Directory Server close a connection. 

P2 

A closed connection or corrupt connection has been detected. 

T1 

The server closed the client connection because it was idle for longer than the idle-timeout server property.

T2 

The server closed the client connection because it was stalled for longer than the nsslapd-ioblocktimeout attribute value. This code can occur for the following reasons:

  • There is a network problem.

  • The server sends a lot of data to the client but the client does not read the data. As a result, the server’s transmit buffer becomes full.

U1 

The server closed the client connection because client sent an UNBIND request. 

Result Codes in Log Files

The following tables summarizes the LDAP result codes generated by an LDAP server and an LDAP client.

Table 7–3 Summary of Result Codes for LDAP Servers

Result Code 

Description 

Success 

Operations error 

Protocol error 

Time limit exceeded 

Size limit exceeded 

Compare false 

Compare true 

Authentication method not supported 

Strong authentication required 

Partial results and referral received 

10 

Referral received 

11 

Administrative limit exceeded 

12 

Unavailable critical extension 

13 

Confidentiality required 

14 

SASL bind in progress 

16 

No such attribute 

17 

Undefined attribute type 

18 

Inappropriate matching 

19 

Constraint violation 

20 

Type or value exists 

21 

Invalid syntax 

32 

No such object 

33 

Alias problem 

34 

Invalid DN syntax 

35 

Object is a leaf 

36 

Alias de-referencing problem 

48 

Inappropriate authentication 

49 

Invalid credentials 

50 

Insufficient access 

51 

Server is busy 

52 

Server is unavailable 

53 

Server is unwilling to perform 

54 

Loop detected 

64 

Naming violation 

65 

Object class violation 

66 

Operation not permitted on a non-leaf entry 

67 

Operation not permitted on a RDN 

68 

Entry already exists 

69 

Cannot modify object class 

70 

Results too large 

71 

Affects multiple servers 

76 

Virtual list view error 

Table 7–4 Summary of Result Codes for LDAP Clients

Result Code 

Description 

80 

Unknown error 

81 

Cannot contact LDAP server 

82 

Local error 

83 

Encoding error 

84 

Decoding error 

85 

Timed out 

86 

Unknown authentication method 

87 

Bad search filter 

88 

User cancelled operation 

89 

Bad parameter to an LDAP routine 

90 

Out of memory 

91 

Cannot connect to the LDAP server 

92 

Not supported by this version of LDAP 

93 

Requested LDAP control not found 

94 

No results returned 

95 

Additional results to return 

96 

Client detected loop 

97 

Referral hop limit exceeded